Companies and public sector bodies should share more cyber experience and data to help raise standards in the UK. This was the rallying cry from speakers at the Institute of Risk Managers cyber conference in London on June 11.
Don Randall, who was appointed as the first chief information security officer (CISO) at the Bank of England in 2013, told the audience “partnership is the only way to succeed” against cyber threat in the UK.
“Work together and we will all combat the adversaries, whomever they may be and our commercial edge will still remain,” Randall continued.
Randall, who previously spent more than 25 years in the City of London police, lamented the lack of a central repository in the UK for cyber intelligence from both the public and private sectors, but highlighted that many successful partnership arrangements already existed in the UK, including with government and law enforcement.
One example was Project Griffin, a police counter-terrorism initiative coordinating the resources of the police, emergency services, local authorities, business and the private sector security industry. Since launching in London in 2004, the project has spread through the UK, India, Australia, Canada and New York (where it is known as Shield).
“Using all the stakeholders as extra eyes, ears and minds has resulted in huge benefits. Project Griffin has proven over 10 years that partnership and sharing of information works. No-one has abused what they’ve been told during that time and therefore we’ve proven the point on partnerships,” Randall said.
Kevin Williams, from the national cyber crime unit in the UK’s National Crime Agency, underlined this work, explaining that his 200-strong team was educating companies and their boards of directors on cyber preparedness, based on its own experiences and intelligence.
The National Crime Agency is also engaging academia to help understand what drives amateur computer users to turn to criminality. It also facilitates the Cyber Security Information Platform (CERT-UK) – a partnership group that shares information on previous events.
In the spirit of sharing, Randall said the Bank of England sustains around 7-8 cyber incidents a week, ranging from denial of service to malware and spearphishing.
“We have to get into the frame of mind to share attempts and suspicions around cyber activity. Share what you do wrong. Get talking,” he said.
Alastair Allison, interim chief risk officer at insurer Zurich Insurance, shared that his company had sustained a cyber attack in recent years and had made a corporate decision to discuss the incident with other corporations, to enhance preparedness.
The UK operation of Zurich Insurance was fined £2.3 million in 2010 by the Financial Services Authority (FSA) for losing personal details of 46,000 customers. That was the largest fine levied to date on a single firm for data security failings.
Allison noted, however, that the remediation costs of the event grossly overshadowed this figure. “Remediation costs were 10, 15, 20 times that number,” he told the IRM conference audience.
Allison added that information sharing among peers, especially in regulated sectors like financial services, can be difficult.
“I know that what I’m asking is aspirational, but groups do exist, such as the Association of British Insurers working group, which operates under Chatham House rules.
“The key is to get the dialogue and trust going under Chatham House rules and then get it growing. This takes a lot of time, effort and courage of a few leaders to start with. But it’s worth it,” Allison said.
He noted that since early 2014, the financial services sector in the UK has had access to CISP (Cyber Security Information Sharing Partnership). CISP lets government and industry share information on current threats and on managing incidents via a secure platform.
After a successful pilot involving 160 companies across 5 sectors – defence, finance, pharmaceuticals, energy and telecommunications – this month, the CISP opened to companies beyond critical national infrastructure sectors, including small and medium-sized businesses.